Any user is has log viewing rights provisioned can read arbitrary files from the local filesystem as a limited privilege user. This can be used to read the confd log file and obtain root privilege SID values.

3. Technical Description

Any user who has permission to access the 'Logging & Reporting' functionality within the management application can read arbitrary files.

The logging of 'sid' values is also dangerous because it leaks session identifiers who may be of higher privilege. A 'sid' for the admin account can be used to change the root and loginuser passwords.

4. Mitigation and Remediation Recommendation

The vendor has addressed this vulnerability in version 9.503. Release notes and download instructions can be found at: https://community.sophos.com/products/unified-threat-management/b/utm-blog/posts/utm-up2date-9-503-released

5. Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc.

6. Disclosure Timeline

2017.07.21 - KoreLogic submits vulnerability details to Sophos. 2017.07.21 - Sophos acknowledges receipt. 2017.09.01 - 30 business days have elapsed since the vulnerability was reported to Sophos. 2017.09.15 - KoreLogic requests an update on the status of this and other vulnerabilities reported to Sophos. 2017.09.18 - Sophos informs KoreLogic that this issue has been remediated in release 9.503 for UTM. 2017.10.24 - KoreLogic public disclosure.

7. Proof of Concept

See 3. Technical Description.

The contents of this advisory are copyright(c) 2017KoreLogic, Inc. and are licensed under a Creative CommonsAttribution Share-Alike 4.0 (United States) License:http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with aproven track record of providing security services to entitiesranging from Fortune 500 to small and mid-sized companies. Weare a highly skilled team of senior security consultants doingby-hand security assessments for the most important networks inthe U.S. and around the world. We are also developers of varioustools and resources aimed at helping the security community.https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt